Overview
To ensure seamless communication between VergeCloud’s edge servers and your origin or main server, it is essential to whitelist VergeCloud’s IP addresses in your firewall configuration. Without whitelisting, your firewall may block legitimate traffic coming from the CDN, which can lead to service interruptions, failed SSL validations, or slow content delivery. By allowing only trusted VergeCloud IPs, you maintain a secure environment while fully benefiting from the performance and security services provided by VergeCloud.
This guide explains two methods for adding VergeCloud’s IP addresses to your firewall using iptables.
Why Whitelisting Is Important
Whenever VergeCloud routes requests to your origin server, your firewall must allow these connections. Whitelisting VergeCloud IP ranges ensures that your origin can communicate safely with edge servers without interruption. This has several important benefits:
Prevent Legitimate Traffic from Being Blocked
If VergeCloud’s IPs are not whitelisted, requests from the CDN may be blocked. This can result in users being unable to access your site or receiving errors when trying to load content. Whitelisting ensures that traffic from VergeCloud edge servers always reaches your origin.
Smooth Content Delivery and SSL Validation
CDN caching, SSL certificate issuance, and secure content delivery all rely on communication between your origin and VergeCloud. By whitelisting VergeCloud IPs, you allow these processes to function without errors.
Enhanced Security
By only allowing connections from verified IP addresses, you reduce the risk of unauthorized access. Your firewall can block all other incoming traffic while still permitting the legitimate VergeCloud requests that are needed for your site to function properly.
Method 1: Add Each IP Range Individually
This approach involves creating separate entries in iptables for each VergeCloud IP range. It is straightforward and works well if you have a small list of IPs that do not change frequently.
Retrieve the list of VergeCloud IP ranges from the
For each IP address or range in the list, run the following command in your terminal, replacing $ip with the actual value:
iptables -I INPUT -p tcp -m multiport --dports http,https -s "$ip" -j ACCEPT
This rule allows incoming HTTP and HTTPS connections specifically from the VergeCloud IP address. Repeat this process for each IP in the list.
While this method is simple, it can become cumbersome when there are many IP ranges or when updates occur frequently. In those cases, the ipset method provides a more efficient solution.
Method 2: Use ipset for Easier Management
The ipset method is more efficient and scalable. It allows you to group multiple IP addresses into a single set and reference that set in iptables. This is ideal for handling large or frequently updated IP lists.
1. Install ipset
If ipset isn’t already installed, install it using the appropriate command for your OS:
Ubuntu/Debian:
sudo apt-get install ipset
CentOS/RHEL:
sudo yum install ipset
2. Create a Set for VergeCloud IPs
Create a new IP set (replace vergecloud with your preferred name):
ipset create vergecloud hash:net
Note: This list is stored in memory and will be cleared after a system reboot.
To make it persistent, save the configuration and reload it automatically after restart.
3. Apply the ipset List in iptables
Once the set exists and has been populated with the VergeCloud IP ranges, apply it to your firewall rules:
iptables -A INPUT -m set --match-set vergecloud src -p tcp -m multiport --dports http,https -j ACCEPT
This rule allows HTTP/HTTPS traffic from any IP in the vergecloud set.
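The Method 2 steps above, carried out as an added shell script that is not part of VergeCloud's documentation: it generates the ipset and iptables commands from a newline-separated list of ranges and validates every entry before it is passed on, so a malformed line in a downloaded list never reaches the firewall. The set name, the sample ranges and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example, not VergeCloud's own tooling: builds the ipset and iptables
# commands of Method 2 from a list of ranges, validating each entry first so
# that a malformed line in the downloaded list never reaches the firewall.
# SET_NAME and RANGES are assumptions; fill RANGES from the official list.
SET_NAME="vergecloud"

# Constructed sample input (RFC 5737 documentation ranges), one entry per line.
RANGES="192.0.2.0/24
198.51.100.0/24
203.0.113.0/24"

# Succeeds only for a syntactically valid IPv4 address or CIDR range.
is_ipv4_cidr() {
  printf '%s\n' "$1" |
    grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
  old_ifs="$IFS"; IFS=.
  set -- ${1%%/*}          # split the address part into its four octets
  IFS="$old_ifs"
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Prints the commands to create and fill the set and to allow HTTP/HTTPS from
# it. Invalid entries are reported on stderr and skipped. Note that the ACCEPT
# rule only restricts access if the INPUT chain's policy (or a later rule)
# drops other traffic to ports 80/443.
build_commands() {
  set_name="$1"; ranges="$2"
  printf 'ipset create %s hash:net -exist\n' "$set_name"
  printf '%s\n' "$ranges" | while IFS= read -r range; do
    [ -n "$range" ] || continue
    if is_ipv4_cidr "$range"; then
      printf 'ipset add %s %s -exist\n' "$set_name" "$range"
    else
      printf 'skipping invalid entry: %s\n' "$range" >&2
    fi
  done
  printf 'iptables -A INPUT -m set --match-set %s src -p tcp -m multiport --dports http,https -j ACCEPT\n' "$set_name"
}

# Applies the generated commands as root; run manually after reviewing them.
apply_commands() {
  build_commands "$1" "$2" | while IFS= read -r cmd; do sudo sh -c "$cmd"; done
}
```

Review the output of `build_commands "$SET_NAME" "$RANGES"` before calling `apply_commands`, and remember that the set contents still need `ipset save`/`ipset restore` to survive a reboot.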
Final Step: Save iptables Configuration
To ensure your new rules persist after reboot, save your iptables configuration. Note that iptables-save does not store the contents of an ipset; if you used Method 2, the set itself must be saved and restored separately (for example with ipset save and ipset restore) before the rule that references it is loaded at boot.
Debian/Ubuntu:
iptables-save > /etc/iptables/rules.v4
CentOS/RHEL:
iptables-save > /etc/sysconfig/iptables
Summary
Whitelisting VergeCloud’s IP addresses in your firewall ensures that:
- Only trusted edge nodes can connect to your origin server.
- CDN features and SSL operations function without interruption.
- Your origin remains secure against unauthorized access.
Always refer to the official VergeCloud IP Addresses page to get the most up-to-date list of IPs. Regularly updating your firewall rules ensures continuous compatibility with VergeCloud and uninterrupted delivery of content and services.